When Control-M submits a job, the following checks are made:
For RACF:
PERMIT jcl-library-name ACC(READ) ID(USERA)
For TSS:
TSS PERMIT (USERA) DSN(jcl-library-name) ACC(READ)
For ACF2/SAF:
COMP
$KEY(jcl-library-name)
UID(USERA) ALLOW
For RACF security, parameter GROUP is optionally added to the job statement and set to the RACF default group.
If the USER parameter exists, the user ID or //*JOBFROM value (for ACF2 users) specified is not the same as the owner of the job definition, and parameter MSUBCHK is set to N (No), the job submission is cancelled.
If the USER parameter exists, the user ID specified is not the same as the owner, and parameter MSUBCHK is set to Y (Yes), the class checked is [SURROGAT | ACIDCHK | CMF] and the entity checked is [cl-userid.SUBMIT | the JCL user ID | $SUBMIT.cl-userid].
userid is the user ID assigned to the job being submitted.
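The submission check described above, modelled as an added example (not part of the original documentation and not vendor code) for reviewing job definitions before MSUBCHK is changed. It assumes the class and entity alternatives pair by position with RACF, Top Secret and ACF2, that the check is made for the owner of the job definition, and the function names and sample jobs are constructed for illustration.

```python
# Added illustration, not vendor code. Assumptions: the class and entity
# alternatives listed above pair up by position with RACF, Top Secret and
# ACF2; "userid" is the USER value on the job statement; the access check
# is made for the owner of the job definition.
CHECKS = {
    "RACF": ("SURROGAT", "{userid}.SUBMIT"),
    "TSS": ("ACIDCHK", "{userid}"),
    "ACF2": ("CMF", "$SUBMIT.{userid}"),
}


def submit_check(owner, jcl_user, msubchk, product):
    """Return (action, class, entity) for one submission.

    jcl_user is the USER parameter (or //*JOBFROM value for ACF2), or None
    when the job statement carries neither.
    """
    if msubchk not in ("Y", "N"):
        raise ValueError("MSUBCHK must be Y or N")
    if jcl_user is None or jcl_user.upper() == owner.upper():
        # Neither MSUBCHK rule applies: there is no owner/USER mismatch.
        return ("NO_SURROGATE_CHECK", None, None)
    if msubchk == "N":
        return ("CANCEL", None, None)
    cls, pattern = CHECKS[product]
    return ("CHECK", cls, pattern.format(userid=jcl_user.upper()))


def audit(jobs, msubchk, product):
    """List jobs that would be cancelled and the (owner, class, entity)
    permissions that must exist for the remaining mismatched jobs."""
    cancelled, needed = [], set()
    for name, owner, jcl_user in jobs:
        action, cls, entity = submit_check(owner, jcl_user, msubchk, product)
        if action == "CANCEL":
            cancelled.append(name)
        elif action == "CHECK":
            needed.add((owner.upper(), cls, entity))
    return cancelled, sorted(needed)


# Constructed sample: (job name, job definition owner, USER on the job statement)
SAMPLE_JOBS = [
    ("PAYROLL1", "USERA", "USERA"),
    ("PAYROLL2", "USERA", "USERB"),
    ("BACKUP1", "USERC", None),
    ("REPORT1", "USERC", "USERB"),
]

if __name__ == "__main__":
    for setting in ("N", "Y"):
        print(setting, audit(SAMPLE_JOBS, setting, "RACF"))
```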
For a started task, the class checked is FACILITY. The entity checked is $$STRSTC.qname.stcname.
For RACF:
PERMIT $$STRSTC.qname.SYSMON ACCESS(READ) ID(USERA) CLASS(FACILITY)
For TopSecret:
TSS PERMIT(USERA) IBMFAC($$STRSTC.qname.SYSMON) ACC(READ)
For ACF2/SAF:
SET RESOURCE(CMF)
COMP
$KEY($$STRSTC.qname.STC1) TYPE(CMF)
UID(USERA) ALLOW